Posted to commits@qpid.apache.org by gs...@apache.org on 2015/11/26 23:48:55 UTC

svn commit: r1716781 - in /qpid/trunk/qpid/cpp/src: qpid/broker/amqp/Session.cpp tests/acl_1.py

Author: gsim
Date: Thu Nov 26 22:48:55 2015
New Revision: 1716781

URL: http://svn.apache.org/viewvc?rev=1716781&view=rev
Log:
QPID-6754: ensure anonymous-relay doesn't expose ability to detect whether or not entity exists for those without permissions

Modified:
    qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp
    qpid/trunk/qpid/cpp/src/tests/acl_1.py

Modified: qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp?rev=1716781&r1=1716780&r2=1716781&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp Thu Nov 26 22:48:55 2015
@@ -968,6 +968,7 @@ void AnonymousRelay::handle(qpid::broker
 {
     // need to retrieve AMQP 1.0 'to' field and resolve it to a queue or exchange
     std::string dest = message.getTo();
+    authorise.access(dest, false, false);
     QPID_LOG(debug, "AnonymousRelay received message for " << dest);
     boost::shared_ptr<qpid::broker::Exchange> exchange;
     boost::shared_ptr<qpid::broker::Queue> queue;
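Review bot: The added `authorise.access(dest, false, false);` has no comment, yet both its position and its two bare booleans matter for the fix: the check must run before the exchange/queue lookup that follows, so that a sender without access gets the same refusal whether or not `dest` names a real node. I would add a comment above it such as `// authorise before resolving: a sender without access must get the same error whether or not the node exists`, and say what the two `false` arguments select, because moving the call below the lookup later would silently bring back the existence check this commit removes. The accompanying test grants bob access on both an exchange and a queue of each name, which suggests the call checks both kinds when the node type is unknown; that is worth stating in the comment if confirmed. It may also be worth checking what happens when the message carries no 'to' field and `dest` is empty, since the access check now sees that value first. The body of AnonymousRelay::handle continues outside the hunk.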

Modified: qpid/trunk/qpid/cpp/src/tests/acl_1.py
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/tests/acl_1.py?rev=1716781&r1=1716780&r2=1716781&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/tests/acl_1.py (original)
+++ qpid/trunk/qpid/cpp/src/tests/acl_1.py Thu Nov 26 22:48:55 2015
@@ -270,23 +270,41 @@ class Acl_AMQP1_Tests (VersionTest):
     def test_publish_to_anonymous_relay(self):
         self.acl.allow('bob', 'access', 'exchange', 'name=ANONYMOUS-RELAY')
         self.acl.allow('bob', 'access', 'queue', 'name=acl_test_queue')
+        self.acl.allow('bob', 'access', 'exchange', 'name=acl_test_queue')
         self.acl.allow('bob', 'publish', 'exchange', 'routingkey=acl_test_queue')
         self.acl.allow('bob', 'access', 'exchange', 'name=amq.topic')
+        self.acl.allow('bob', 'access', 'queue', 'name=amq.topic')
         self.acl.allow('bob', 'publish', 'exchange', 'name=amq.topic', 'routingkey=abc')
+        self.acl.allow('bob', 'access', 'exchange', 'name=amq.direct')
+        self.acl.allow('bob', 'access', 'queue', 'name=amq.direct')
         self.acl.allow('alice').deny().apply()
 
         sender = self.bob.sender("<null>")
         sender.send(Message("a message", properties={'x-amqp-to':'acl_test_queue'}), sync=True)
         sender.send(Message("another", subject='abc', properties={'x-amqp-to':'amq.topic'}), sync=True)
         try:
+            # have access permission, but publish not allowed for given key
             sender.send(Message("a third", subject='def', properties={'x-amqp-to':'amq.topic'}), sync=True)
             assert False, "bob should not be allowed to send message to amq.topic with key 'def'"
         except UnauthorizedAccess: pass
         sender = self.bob.sender("<null>")
         try:
+            # have access permission, but no publish
             sender.send(Message("a fourth", subject='abc', properties={'x-amqp-to':'amq.direct'}), sync=True)
             assert False, "bob should not be allowed to send message to amq.direct"
         except UnauthorizedAccess: pass
+        sender = self.bob.sender("<null>")
+        try:
+            # have no access permission
+            sender.send(Message("a fiftth", subject='abc', properties={'x-amqp-to':'amq.fanout'}), sync=True)
+            assert False, "bob should not be allowed to send message to amq.fanout"
+        except UnauthorizedAccess: pass
+        sender = self.bob.sender("<null>")
+        try:
+            # have no access permission
+            sender.send(Message("a sixth", properties={'x-amqp-to':'somewhereelse'}), sync=True)
+            assert False, "bob should not be allowed to send message to somewhere else"
+        except UnauthorizedAccess: pass
         sender = self.alice.sender("<null>")
         sender.send(Message("alice's message", properties={'x-amqp-to':'abc'}), sync=True)
         sender.send(Message("another from alice", properties={'x-amqp-to':'def'}), sync=True)
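Review bot: The two new cases (amq.fanout, a standard exchange, and somewhereelse, which presumably does not exist) only assert that UnauthorizedAccess is raised, so the test would still pass if the broker returned different error text for an existing and a missing node, which is the leak QPID-6754 is about. Binding the exception in both blocks, e.g. `except UnauthorizedAccess as e: fanout_err = str(e)` and likewise `missing_err`, then adding `assert fanout_err.replace('amq.fanout', 'X') == missing_err.replace('somewhereelse', 'X')`, would pin that the two refusals differ only in the name. The exact message format is not visible here, so the comparison may need adjusting to whatever fields the exception exposes. The rest of the test method lies outside the hunk.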


